“We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.”

Flashpoint told Brian Krebs that a specific set of credentials scanned for by Mirai bots – username: root and password: xc3511 – is hardcoded into the device firmware of a number of IoT devices produced by a a Chinese company called XiongMai Technologies, meaning someone can’t change an affected device’s username or password via a web admin panel.

Perhaps in recognition of that fact, XiongMai Technologies issued a recall of millions of its network cameras and other devices on 24 October.

In a statement, the Chinese company says three conditions must all be met for hackers to obtain access to the products:

The devices must predate April 2015 when XiongMai Technologies instituted a new firmware upgrade program.

The default login credentials must still be activated on those products.

A public network must directly expose itself to the devices without the use of a firewall.

XiongMai Technologies says hackers can’t abuse its products absent any one of those criteria.

In support of that argument, the Chinese Ministry of Justice released its own statement saying it will seek legal action against any entity whose comments damage the reputation of the Chinese company.

As translated by Google Translate:

“For the relevant organizations or individuals [that issue] false statements… [or] slander our goodwill behavior, our company has made relevant evidence preservation… such… [that if they fail[ to stop [the] infringement or infringement damage to the consequences of… [their remarks], then we will [pursue] further [action] through the legal channels[.] All the legal rights of all the tortfeasors shall be investigated, and we reserve the right to pursue the law.”

Whether the Chinese government would be willing to act on that threat remains to be seen. Brian Karas of IPVM told Krebs it’s simply “a PR effort within China, to help counter criticisms they are facing.”

DYN’s investigation into the attack on 22 October is still ongoing as of this writing.